.NET-based Snake Keylogger Attack Windows Using Weaponized Excel Documents

Researchers uncovered a sophisticated phishing campaign that exploits a .NET-based Snake Keylogger variant.

This attack leverages weaponized Excel documents to infiltrate Windows systems, posing significant threats to user data security.

This article delves into the mechanics of the attack, the techniques employed by the malware, and the implications for users and organizations.

- Advertisement -

Understanding Snake Keylogger

Snake Keylogger, also known as “404 Keylogger” or “KrakenKeylogger,” is notorious malware that was initially distributed on hacker forums as a subscription-based service.

This .NET-based software is designed to steal sensitive data, including saved credentials from web browsers, clipboard content, and basic device information.

It can also log keystrokes and capture screenshots, making it a potent tool for cybercriminals.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

The Phishing Email

Fortinet’s FortiGuard Labs reported that the attack begins with a phishing email that attempts to deceive recipients into opening an attached Excel file named “swift copy.xls.”

The email claims that funds have been transferred into the recipient’s account, a common tactic to lure victims into action.

FortiGuard services mark these emails with a “[virus detected]” warning in the subject line, but unsuspecting users may still fall for the trap.

The Malicious Excel Document

Upon opening the Excel file, malicious code is executed in the background. The document contains a specially crafted embedded link object that exploits the CVE-2017-0199 vulnerability to download additional malicious files.

This process is covert, with the Excel program secretly requesting a URL that leads to further malware downloads.

The attack chain continues by downloading an HTML Application (HTA) file, executed by the Windows application host (mshta.exe).

This file contains obfuscated JavaScript code that, once decoded, reveals VBScript and PowerShell scripts.

These scripts are responsible for downloading and executing the Snake Keylogger’s loader module, a critical attack component.

The Loader Module

The downloaded executable file, the Loader module, is developed using the Microsoft .NET Framework.

It employs multiple-layer protection techniques, including transformation and encryption, to evade detection by cybersecurity products.

The Loader module extracts and decrypts several components from its resource section, essential for deploying the core Snake Keylogger module.

Deploy Module and Persistence

The Deploy module, extracted from the Loader, ensures Snake Keylogger’s persistence on the victim’s system.

It renames the Loader module file, sets it as hidden and read-only, and creates a scheduled task in the system Task Scheduler to launch at startup.

This module also performs process hollowing, a technique that allows the malware to hide its operations by injecting malicious code into a new process.

The Snake Keylogger attack highlights the evolving tactics of cybercriminals and the importance of robust cybersecurity measures.

Users and organizations must remain vigilant, employing updated antivirus software and exercising caution with email attachments.

Awareness and education are crucial in preventing sophisticated attacks from compromising sensitive data.

The .NET-based Snake Keylogger attack via weaponized Excel documents represents a significant threat to Windows users.

By understanding the attack’s mechanics and employing proactive security measures, individuals and organizations can better protect themselves against this and similar cyber threats.

IOCs

URLs

hxxp://urlty[.]co/byPCO
hxxp[:]//192.3.176[.]138/xampp/zoom/107.hta
hxxp[:]//192.3.176[.]138/107/sahost.exe

Relevant Sample SHA-256

[swift copy.xls]
8406A1D7A33B3549DD44F551E5A68392F85B5EF9CF8F9F3DB68BD7E02D1EABA7

[107.hta]
6F6A660CE89F6EA5BBE532921DDC4AA17BCD3F2524AA2461D4BE265C9E7328B9

[The Loader module/sahost.exe / WeENKtk.exe / utGw.exe]
484E5A871AD69D6B214A31A3B7F8CFCED71BA7A07E62205A90515F350CC0F723

[Snake Keylogger core module / lfwhUWZlmFnGhDYPudAJ.exe]
207DD751868995754F8C1223C08F28633B47629F78FAAF70A3B931459EE60714

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial